Published 15 August 2024
Read the keynote address prepared for delivery by Privacy Commissioner Carly Kind for the IDCARE 10th anniversary event on Wednesday 15 August 2024.
Introduction
I’m honoured to have the opportunity to commemorate the creation 10 years ago of an organisation that would go on to play such a vital role in the promotion and protection of Australians’ privacy, against a backdrop of unprecedented and increasing threats. It is a real testament to David’s vision that he had the foresight to map out a role for a unique and impactful organisation like IDCARE so many years ago, and a credit to the government and business entities that have supported the sustainability of the organisation throughout this period.
The past
Ten years ago, when David was concocting his grand plan for this organisation, the world was not such a different place. Taylor Swift was at the top of the charts, as she still is today. Major data breaches were on the front pages of the papers, as they still are today. Indeed, 2014 saw one of the largest data breaches of the time, that of Target’s US operations, which saw the theft of 40 million debit and credit card numbers.
Indeed, in many ways, 2014 saw the commencement of an era of enhanced attention to privacy, after a long period of what some may label the irrelevance, or even neglect, of privacy rights. At the time, the reality of data-driven business models and their role in creating honeypots of data prone to compromise by cybercriminals or intelligence agencies was coming into public view. We’d had Twitter for about 8 years, Facebook for more than a decade, and Google even longer. The year prior to 2014, NSA contractor Edward Snowden had leaked confidential intelligence documents that revealed among other things the partnerships between major tech firms and intelligence agencies, exposing the granular data and insights that digital platforms had amassed through their emerging dominance.
The Snowden leaks also had the effect of elevating the question of privacy on the agenda of governments around the world. Because the documents exposed in the leaks revealed that US intelligence agencies had been monitoring the activities of certain prominent politicians, the question of privacy norms and rights became a hot topic in international fora including at the United Nations Human Rights Council. Whereas the right to privacy had been a fundamental pillar of key human rights documents, including the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR), privacy had not enjoyed the same amount of attention in the UN human rights systems as other rights. For example, the Human Rights Committee, which oversaw complaints and advisory opinions under the ICCPR, had never issued a general comment (an advisory opinion) on the right to privacy. And there was no special procedures mandate on the right to privacy, as there were on a couple of dozen other rights and human rights issues. Suddenly, with the political crisis caused by the Snowden leaks, a campaign emerged to establish a Special Rapporteur on the right to privacy. I was fortunate to have a front seat to these events, as I was working as a privacy rights campaigner and led the NGO coalition advocating for the mandate to be established.
At the same time, also in 2014, numerous jurisdictions were developing or looking to develop legal remedies for privacy invasions. In the UK, a landmark case of Vidal-Hall v Google was working its way through the courts, concerning the exploitation by Google of certain exceptions to protections in the Safari browser against third-party cookies. The case would become key to establishing a tortious right of action of misuse of personal information under UK law. In parallel, the Australian Law Reform Commission (ALRC) was tasked with designing a statutory cause of action for serious invasions of privacy and produced a lengthy report that same year. That report articulated the important tenet that, ‘While privacy must sometimes be set aside for broader public interests, privacy itself is also a vital public interest.’
The present
Ten years ago, each of these developments was a seed bedding down into the soil of privacy law and policy. Ten years later, they have taken root and begun to bear fruit.
IDCARE today plays a vital role in supporting Australians to address and mitigate the effects of major privacy violations. IDCARE provides an essential service, not only after the fact but from the earliest stages of a data breach, including by monitoring the dark web to identify data breaches, sometimes even before entities themselves know they have been breached. For the past six years, since the OAIC has administered the Notifiable Data Breaches scheme, we have had a productive and gratifying relationship with IDCARE. We hold their purpose and objective in high regard. Entities impacted by data breaches often refer to their services as a step to minimise harm to the impacted communities.
The United Nations Human Rights Council did indeed decide to establish a dedicated privacy mandate in 2014, and Professor Joe Cannataci was appointed the inaugural Special Rapporteur on the right to privacy in 2015. It is an honour to be speaking alongside his successor, Dr Nougrères, today as she undertakes the mandate’s first country visit to Australia. Building on those initial steps to engage with privacy issues in 2014, the UN has subsequently played a critical role in taking forward the global discussion around technology regulation and its intersection with privacy, including most recently through the work on the Global Digital Compact and the High-Level Advisory Body on Artificial Intelligence. As Dr Nougrères has said, regulatory collaboration and cooperation is key to overcoming privacy harms and violations that cross borders and stymie the ability of national regulators, such as the OAIC, to rein in problematic practices, particularly in the online realm.
The progress we have seen in the development of legal norms at the international level is not exactly matched by progress at the national level. Unfortunately, the 2014 ALRC report that designed a statutory tort of serious invasions of privacy has yet to be taken forward. However, as I think we all know, there are many reasons to be hopeful. Privacy Act reform may have stagnated for some time, but this Attorney-General has made recent and intentional efforts to take forward the overdue reform agenda. We very much hope that we will see the fruits of that labour imminently.
The future
So then, let’s look ahead. What can we expect of the next 10 years?
There is a common belief among those in the charity or third sector that the ultimate ambition for one’s organisation should be its disbandment and irrelevance through lack of need. Success means that the issues you’re established to deal with no longer exist, so neither do you. I think such a goal might be slightly too ambitious for IDCARE. The trends of recent years suggest that the threat of data breaches through the efforts of malicious cyber actors is unlikely to diminish, and indeed the risks to Australians are only likely to increase. The last few years have seen some of the largest data breaches in Australian history unfold, and just this year the MediSecure breach has further endangered Australians’ privacy. The Notifiable Data Breaches scheme administered by my office saw a 19% increase in data breaches in the second half of last year, compared to the first half, with 483 breaches being notified. Malicious or criminal attacks remained the leading cause (67%) of data breaches.
Cyber attacks and other data breach incidents are not the only risks to Australians’ privacy, however, and I would be remiss if I didn’t take this opportunity to remind the audience that threats to the protection of individuals’ privacy continue to proliferate. New technologies, while they may offer privacy-preserving opportunities, also create new risks. In particular, the new incentives created by the birth of generative AI to collect and use personal information to train AI models create a range of challenges to key tenets of privacy law, including data minimisation and purpose limitation. We can expect these kinds of challenges to get trickier and more plentiful over the next 10 years.
Which is why it is critical that we continue to push to complete the work that began more than a decade ago to propose legislative mechanisms for strengthening the protection of privacy under Australian law. This includes the introduction of a statutory tort of privacy, to enable individual Australians to seek a direct right of action in the courts for incursions into their personal or information privacy. However, it also includes an array of other measures that are critical to ensuring that the Privacy Act is fit for purpose in the digital age.
I know many of you are familiar with the key reforms on the table, but just to recap a few that I believe will be critical to ensuring that the status of Australians’ privacy improves, rather than deteriorates, over the next 10 years:
- The introduction of a requirement that data collection, use and disclosure be fair and reasonable will represent a globally novel approach to addressing the power imbalance between individuals and those organisations and entities that handle their personal information, and we hope could take us on a new path that doesn’t rely on broken notions of consent but rather requires entities to grapple with the big picture questions around their data practices.
- New enforcement powers will enable my office to pursue a range of enforcement measures with respect to non-compliance with the Privacy Act. Paired with a specific remit to develop practice guidance on the adoption of new technologies, and an obligation on regulated entities to undertake a privacy impact assessment in certain circumstances, I believe the Privacy Act reforms will place the OAIC in a good position to ensure the Privacy Act is applied in a dynamic way to new and emerging tech trends and practices.
- A mandate to develop a Children’s Online Privacy Code will finally centre children in the debate around privacy and the protection of personal information in Australia, and see the harmonisation of our approach with our peer jurisdictions such as the UK and Canada.
- Finally, with respect to data breaches, as I know this will be of particular interest to my co-panellists today, the Privacy Act reforms contain measures to, among other things:
  - shorten the reporting time frames for data breaches to 72 hours
  - require entities to take reasonable steps in response to a data breach
  - clarify that reasonable steps to secure information includes both technical and governance measures.
I do really believe that these and other changes suggested through the Privacy Act reform process will place us in a good position to continue strong oversight over privacy practices in the ever changing and dynamic digital era. My aspiration, therefore, is that in 10 years we will be standing here celebrating the 20-year anniversary of IDCARE against the backdrop of a vastly strengthened Privacy Act, a high level of compliance across industries, and a robust enforcement ecosystem equipped to tackle persistent, egregious or systemic privacy issues as soon as they occur.
To conclude – a lot has happened in 10 years, and yet in some ways, particularly when it comes to Privacy Act reform, not enough has happened. IDCARE should be extremely proud of their role in adapting to the new challenges and threats the past decade has revealed, and I am sure they are going to continue to act as a critical pillar of support and protection for the next decade. I hope together, including with our international colleagues and as part of an ecosystem of regulators worldwide dedicated to the protection and promotion of privacy rights, we can ensure that this next decade sees us take leaps and bounds forward.